The objective of Certbot, Let's Encrypt, and the ACME (Automated Certificate Management Environment) protocol is to make it possible to set up an HTTPS server and have it automatically obtain a browser-trusted certificate, without any human intervention. This is accomplished by running a certificate management agent on the web server.

I've set it up for all my domains but I was unable to do it without any human intervention on my part in less than a minute; but setting it up for sub-domains like forums.debian.net might require some human intervention...

I do not know the reasons the forum admins have for not using https,but for the kind of forum it is, and the purpose of the forum, I thinkit is better not to use it (https), personally I do not like it much. Why ?, to many times it is problematic, I find it very annoyingwhen I try to access a site, and get that stupid warning, or errorsaying something is wrong with the certificate, bla , bla. Some times, if one jumps through some hoops, the site stillcan be accessed, but other times no. I think something to consider, if someone is trying to install Debian,and having problems, maybe they do not even have a DE and working"fancy browser", or also maybe the date and time on the system is not yetset correctly and that is something that can cause a "access denied" error,when https is being used. The point is, the user is trying to get help, maybe on a "crippled" system,the last thing I need, or others , is to get the (bad words) HTTPS "access denied"error,... I am glad this forum does not use https,... The other day, there was a problem here posted, and when I did some searches,one of the most promising looking links was at "archlinux",... Guess what ? When I tried to follow the link, the good for nothing https, " sorry this site can not beaccessed, the certificate is expired ",.... something to that extent,...It said the date it would be good, was in a few days,...and now, the "archlinux" site is accessable, but this is not the only time,..or only site,...it is a regularly occuringproblem with any site using https,... I can see how a e-mail service, banking, or some kinds of business sites need and should have the additional security,... but I don't think https is a good idea on a sitewhere many of the people trying to access need help, and may be trying to accesswith a system not working properly, ...and those are the people that need to beable to access the most. On many sites, the error message , is more like a warning, but it says "This site is not secure" Bla , Bla,...but does offer a "advanced" option, where one canstill access the site, if they want to , and don't mind the risk,... well on many of thosekind of sites,.... that is enough to scare me, and decide to try elsewhere, look for a site not using the "https" abomination,..... honestly most of the time I find https just plain annoying. And just because a site uses https, does not make it secure,...https is mostly a gimmick, being promoted to make money selling certificates,.....hopefully the"free certificates" maybe bring a end to that, I found some interesting things, ....of course the "https" promoters won't likethis , but ,........ anyway:

The actual act of securing a website is a very complex process. HTTPS does not stop attackers from hacking a website, web server or network. It will not stop an attacker from exploiting software vulnerabilities, brute forcing your access controls or ensure your websites availability by mitigating Distributed Denial of Services (DDOS) attacks.Here are a number of articles I’ve written that better explain the dynamic nature of securing your websites, and what happens when you don’t. Notice how HTTPS has very little to do with the process. ---snip--- To prove this point, you can see various examples in recent history in which several entities had their certificates spoofed. In 2014, Threatpost reported that a number of popular entities were having theircertificates spoofed:---- read more--

------------------------

Another: https://www.sott.net/article/275524-Why-HTTPS-and-SSL-are-not-as-secure-as-you-think----------------------------Some searches will show there are more,...in a nut shell "https" does not make anything more secure,... a server or website , forum can be hacked, scraped, etc, and all the data, "stolen", even when they are using https,.......so what is the point ? I suppose though, if it gives the forums members a false sense of security, and keeps them happy, well, then we need https,. sort of like a "pacifier",...... Then we will have the other, "unhappy members" complaining, "Hey why can't I access, it says the date is wrong", or the "certificate expired", etc..... Oh,... no that won't be a problem, they won'tbe able to access the forum,...so we won't get any complaints from them. The forum is working quite well, like it is. If it isn't broken, maybe it is best tonot try to fix it.

Last edited by GarryRicketson on 2016-11-26 15:44, edited 1 time in total.

Unlike self-issued certificates —which, for reasons described by GarryRicketson, admittedly can be a bit of a pain—I've had no issues with https certificates for my domains after installing the Debian packages for letsencrypt on my server which runs apache2. And I was able to set it up in no time at all.I take the view that —on principle— logins and passwords should under no circumstances be sent unencrypted over the 'net so as far as I'm concerned, the absence of https for these forums goes against the grain.One advantage of letsencrypt is that the option to access the site via https could be implemented easily in addition to http for users who prefer it.Since forums.debian.net is a subdomain of the domain debian.net —which I notice redirects to debian.org—then a letsencrypt certificate could only be done by the administrator of the main domain. See also viewtopic.php?f=12&t=129653&p=623723#p623720.There should be no problem doing this for the subdomain; for example:

Notice that sub-domain link packages.debian.org given by stevepusser is secured with a letsencrypt certificate whilst the main domain, debian.org, is verified by gandi.I recently set up a free letsencrypt certificate for a subdomain and the procedure is very similar to doing it for a virtual host; it's easy peasy once you know how.

I know it is a old topic, but any way, just because a site has a ssl certificate, does not mean it is secure, nor that it is the site one thinks it is. One thing though, not having the "https", results in the site no longer showingin the google search results, if it does show at all it is way down at the bottom, the "https" sites get listed first. The browsers now , also are making it harder to visit http sites, giving a warning, claiming it is not secure,... Interesting approach, the browser tellsme, this site is not secure because it does not use SSL, but they set a defaultsetting, so that if I go to a site using the "punny code" ,"Do a search for ‘punycode’ without quotes" (see the article) The default setting does not tell me or give me any warning, that the site isnot the one I think it is. I wonder why they put the default setting that way ?--------------------------

Postby kedaha »One advantage of letsencrypt is that the option to access the site via https could be implemented easily in addition to http for users who prefer it.

This would be the ideal situation, as I mentioned earlier, some one struggling with a crippled system, could have trouble accessing if it is https, that would give them a alternative. The other advantage, is having a https url (ssl certificate), would get this site back into the google search results , when people do do a search for solutions to problems, that have been solved here. All though it seems to come up pretty good on other search engines, it is notshowing in google and startpage as much as it used to, I don't know if any body else has noticed that, I have. After all said and done though, only the server/site owner, admin can do this,and if he does not want to, or does not have the time,..it will not happen.